Risk Assessment

Obama administration tweaks its cybersecurity plans

The Obama administration is continuing a Bush-era plan to consolidate all …

When it comes to cybersecurity, the Obama administration is taking the same approach to the policies of the Bush administration as it has in so many other areas: there are differences, but they're mainly matters of subtle emphasis and focus. Take the Trusted Internet Connection initiative, which the Bush administration launched in late 2007, and which is aimed at securing the government's network infrastructure by routing all of its network traffic through a smaller number of access points.

The original goals of the TIC program were to establish a baseline set of security practices for government systems that access the Internet, to consolidate all federal Internet access points into about 50 officially certified TICs, and to put in place an audit process to ensure that all government agencies stay in compliance with the program. Of these three goals, it was the network consolidation piece—the entire federal government accessing the Internet through only 50 connections total—that grabbed headlines and caused the most push-back from federal agencies. It's this part that the Obama admin has eased up on, but only a bit.

Roadblocks

All government agencies had a little under a year after the TIC program's launch to completely change their network architectures so that all of their traffic could be squeezed through the 50 or so TICs, at least a few of which would be managed by Sprint. Needless to say, the summer 2008 deadline passed with the goals still a long way from being met. As late as August of last year, various parts of the government were pushing back against the plan.

NASA complained about being asked to reduce its Internet connections down to two TICs because it has sites across the country and it pushes a lot of data. The US Treasury also kicked back, because it didn't want to hand over firewall logs and other traffic data to US-CERT—the stated objection was that the plan would put sensitive taxpayer data in the hands of cybersecurity officials, and that's definitely a fair criticism. But it's also hard to imagine an agency as secretive as the Treasury was in 2008, the year of monster bailouts, wheeling and dealing with the big banks, and extraordinary, "we must save the system at all costs" actions, giving a complete picture of every last byte of its Internet traffic to another federal agency.

To top it all off, the agencies complained of a lack of technical guidance on how they were to implement the TIC plan. In all, the agencies were hoping that the Obama administration would come up with another approach.

Less consolidation, but only a bit less

In a February 4 interview with Federal News Radio, Sean Donelan, program manager for network and infrastructure protection at DHS, gave an update on the status of the TIC program, acknowledging some of the difficulties in implementing such a major change in a short timeframe. He described the original timeframe as "too aggressive," and also said that the program is now hoping to keep the number of TICs down below 100, in the "50 to 100 range."

Donelan followed up with an interview in Network World, where he reiterated the administration's shift in focus from keeping the number of TICs below 50 to first establishing a baseline security policy and then getting the number of TICs down below 100. (Note that a blogger, also at Network World, reported this as an announcement that the TIC program is being effectively "cancelled," and that the government is throwing out its network consolidation plans. That's completely false. There was no OMB announcement to this effect, and massive network consolidation is still in the cards.)

The network consolidation plan is the sort of thing that large corporations use, in combination with a VPN (which the government also plans to deploy), to keep a corporate network secure from Internet-based attacks. Donelan emphasized that this approach will let the government throw a ton of hardware and effort at hardening those 50 access points, and agencies will route all of their connections through them, either directly or through a VPN.

Right now, getting everything down to under 100 TICs is a long way off. But the day can't come soon enough for Sprint, which landed a fat contract to be the wireless provider for TIC-compliant federal agencies. When the carrier launches its 4G service in Washington DC this year, it will be one of just three companies that are authorized by the government to provide TIC-compliant connections to federal agencies.

Sounds to me as though both administrations are trying to make governmental computing more secure. Not a security expert, so I don't know whether this is the best approach, but it is good to hear that they are trying something. I seem to read often enough how vulnerable the US government is to hacking by China et al. and it's nice to see that they are paying attention.

@Giggity, I'm a Republican who did NOT vote for Obama and his administration has my tentative approval. At least until a security expert chimes in and tells me why this won't work, or is a bad idea.

Centralization does not make the system itself more vulnerable, in fact, in the case of security, it makes the system less vulnerable because a smaller number of access points have to be defended.

What it does do is make failures/breaches/etc. more catastrophic because they hit a larger set of traffic. The ideal procedure would be to drop down to 50-100 links and set up each site to pipe data to three or four different access points. That way if there was a problem, one of them could be shut down without excessively damaging the whole system.

TIC sounds like the turf war to end all turf wars! TOTAL INFORMATION CONTROL of the entire government for whoever wins. Not sure who to root for in this one. I don't want anyone but the IRS getting my tax data, but I don't want to root for the IRS...

The problem with this plan has always been that there is no Federal backbone network for all the agencies to connect to. Some agencies have their own. DoD does of course, and DoE has its own backbone network. NASA has several, but I don't think any one of them connects all NASA sites. NOAA is one agency I know of which does not currently have a backbone network. So for lots of government offices, they are being told they can't connect directly to the Internet but aren't being provided with a backbone network they can connect to in order to get to a TIC.

Without a planned (and funded) backbone network what you will end up with is each individual office or agency buying a bunch of individual leased circuits to who knows where. Many of them being much longer (and hence more expensive) than they need to be. Really, it's a horrible oversight on the part of the Feds to have not started building a nationwide inter-agency network years ago. If so much inter and intra agency traffic didn't have to take the commodity Internet in the first place the need for the TICs would be much lower.

Pardon my cluelessness, but what will this accomplish besides making internet access slower for government systems? Don't pretty much all security breaches involve laptop theft/loss or employee misconduct?

Originally posted by webmaren: Centralization does not make the system itself more vulnerable, in fact, in the case of security, it makes the system less vulnerable because a smaller number of access points have to be defended.

What it does do is make failures/breaches/etc. more catastrophic because they hit a larger set of traffic. The ideal procedure would be to drop down to 50-100 links and set up each site to pipe data to three or four different access points. That way if there was a problem, one of them could be shut down without excessively damaging the whole system.

Good point, but as long as they implement some decent VLAN separation, minimum-access internal firewall policies and fairly strict ACLs, that should make a catastrophic breach much less likely / extensive.

This being a government project however, I'm not going to place odds on their adherence to best practices one way or the other.
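An added toy model of the two points made in this thread (multi-homing each site to several TICs so one can be shut down without cutting sites off, and strict egress policies so nothing bypasses the TICs); it is example code written for this page, not code from the article, any agency or the TIC program, and every site, TIC name and rule in it is constructed.

```python
"""Toy TIC-style egress audit (constructed example, not agency code).
Each site should reach the Internet only via certified TICs, and should be
homed to several TICs so one TIC can go offline without isolating the site."""

# Constructed topology: site -> set of TICs the site is homed to.
SITE_TICS = {
    "agency-a-west": {"tic-west-1", "tic-west-2", "tic-central-1"},
    "agency-a-east": {"tic-east-1", "tic-east-2", "tic-central-1"},
    "agency-b-field": {"tic-central-1"},          # single-homed
    "agency-c-hq": {"tic-east-1", "tic-east-2"},
}

# Constructed per-site egress policy, evaluated first-match like a firewall
# ACL: (action, destination). "internet" is a direct route that bypasses
# every TIC; a site with no "internet" rule is treated as default-deny.
EGRESS_RULES = {
    "agency-a-west": [("allow", "tic-west-1"), ("allow", "tic-west-2"),
                      ("allow", "tic-central-1"), ("deny", "internet")],
    "agency-a-east": [("allow", "tic-east-1"), ("allow", "tic-east-2"),
                      ("allow", "tic-central-1")],
    "agency-b-field": [("allow", "tic-central-1"), ("allow", "internet")],
    "agency-c-hq": [("deny", "internet"), ("allow", "tic-east-1"),
                    ("allow", "tic-east-2")],
}


def allows_direct_internet(rules):
    """First-match evaluation: does this policy let traffic bypass the TICs?"""
    for action, dest in rules:
        if dest == "internet":
            return action == "allow"
    return False  # no matching rule: default deny


def egress_bypasses(egress_rules):
    """Sites whose policy permits a direct-to-Internet path around the TICs."""
    return sorted(s for s, r in egress_rules.items() if allows_direct_internet(r))


def under_homed_sites(site_tics, min_tics):
    """Sites homed to fewer TICs than the redundancy target."""
    return sorted(s for s, t in site_tics.items() if len(t) < min_tics)


def sites_cut_off(site_tics, down_tics):
    """Sites left with no reachable TIC if the given TICs are taken offline."""
    return sorted(s for s, t in site_tics.items() if not (t - set(down_tics)))


if __name__ == "__main__":
    print("TIC bypass:", egress_bypasses(EGRESS_RULES))
    print("under-homed (<3):", under_homed_sites(SITE_TICS, 3))
    print("cut off if tic-central-1 down:", sites_cut_off(SITE_TICS, {"tic-central-1"}))
```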

Originally posted by TheShark: Really, it's a horrible oversight on the part of the Feds to have not started building a nationwide inter-agency network years ago. If so much inter and intra agency traffic didn't have to take the commodity Internet in the first place the need for the TICs would be much lower.

So I have an idea I want you guys to critique. Maybe it's time to create a Department of IT (or something) that is responsible for handling the IT/etc of all the other Departments... increasing collaboration and syncing. Does this sound like a good idea?

I think Obama already has a DIT (or whatever it's called). Or maybe I'm just thinking about him appointing an IT-oriented person to chair the FCC?

I'm pretty torn. We need our government infrastructure to be secure against outside influence / intrusion, but every time the government sets up another wall, it seems it's used to keep the peasants out of the castle rather than letting them in to protect them. Our gov't is so busy creating more BS programs to reward folks cranking out kids they can't afford or ones who don't want to work for a living, so I hardly expect anything like this to be done in a sane or effective fashion.

Originally posted by jaquinton: So I have an idea I want you guys to critique. Maybe it's time to create a Department of IT (or something) that is responsible for handling the IT/etc of all the other Departments... increasing collaboration and syncing. Does this sound like a good idea?

I'll bite. I'm an SE working for a security gateway company that sells and supports several large civilian agencies near DC.

This was the original objective of DHS when it comes to IT security oversight. We all know how well that took hold. It doesn't work well to have one agency telling the other what to do unless that agency has budget control.

Every agency is different (I've seen network diagrams and I've talked to a lot of security admins and CISOs/CIOs), and each has objectives that vary widely. You can't run them all the same way. Consolidating them won't do much good. The most effective way to effect change is to issue enforceable mandates that point to specific operating standards, and then give the agencies the time and resources to complete those objectives.

It's my opinion that there needs to be an improved process for enforcing the mandates that agencies are required to comply with that ties their performance to budget. As with everything in DC, money makes things happen, and that's the only thing people listen to when push comes to shove.